Tony G wrote: > Rather than using ENCRYPT(), or social engineering to discourage > people from using passwords at all, it's very easy to do this > with a .NET program called from BASIC: > > CLASS = "NebulaRnD.Security.TripleDES" > INFO = "I am a password" > KEY = "34M5945hjW4hvde87tsDcgkuy" > And there is the classic problem I referred to earlier. You have secured it with tripledes alright, but all I need do is run the strings command on your program and you just gave me the key. I could also write a very simple program to whip through system memory and find the key when it is in memory (might need fairly high privileges, but the program is probably running as the same user group as me...).
I can also replace your .Net assembly with one of my own that calls yours and emails me the keys as CALLdotNET (I want to shoot the person that made the 'dot' lower case), does not have a way to verify the assembly is the one you think you are calling. This stuff is way way more intricate to get correct than most people give credence to. Calling external programs in almost any way means you might as well not bother encrypting it, unless you just want to hide it from random prying eyes. Jim > USE.MD5 = 1 > PARAMS = INFO : CHAR(9) : KEY : CHAR(9) : USE.MD5 > CALLdotNET CLASS, "Encrypt", PARAMS > SETTING ENCRYPTED > ON ERROR GOSUB ENCRYPTION.ERROR > CRT ENCRYPTED > > The same can be done with CallJ and Java for *nix. > In case anyone is wondering, EXECUTE "encrypt ":INFO is not a > good solution. > Requests for supported solutions are welcome. > > Tony Gravagno > Nebula Research and Development > TG@ remove.pleaseNebula-RnD.com > Nebula R&D sells mv.NET and other Pick/MultiValue products > worldwide, and provides related development and training services > > > New release of NebulaXLite for jBASE available 22-jan > Generate attractive spreadsheets from BASIC for > Excel, Open Office, and Google Docs > remove.pleaseNebula-RnD.com/products/xlite.htm > > > > > --~--~---------~--~----~------------~-------~--~----~ Please read the posting guidelines at: http://groups.google.com/group/jBASE/web/Posting%20Guidelines IMPORTANT: Type T24: at the start of the subject line for questions specific to Globus/T24 To post, send email to [email protected] To unsubscribe, send email to [email protected] For more options, visit this group at http://groups.google.com/group/jBASE?hl=en -~----------~----~----~----~------~----~------~--~---
